[X2Go-Dev] CVE-2013-7261: (fwd:) root exploit in X2Go Server
Mike Gabriel
mike.gabriel at das-netzwerkteam.de
Sat Jan 4 17:56:17 CET 2014
Hi all,
I have been noticed about a root exploit in X2Go Server code. This
vulnerability has been (hopefully) fixed in X2Go Server 4.0.1.10 (and
in the LTS release branch 4.0.0.8).
This issue has now been a CVE ID to. Please see below.
All distributors of X2Go Server, please provide package upgrades to
your distribution.
Thanks+Greets,
Mike
----- Weitergeleitete Nachricht von cve-assign at mitre.org -----
Datum: Sat, 4 Jan 2014 11:23:29 -0500 (EST)
Von: cve-assign at mitre.org
Betreff: Re: root exploit in X2Go Server
An: mike.gabriel at das-netzwerkteam.de
Cc: cve-assign at mitre.org
> this is to request or a CVE-ID. We have been reported and we have
> fixed a root exploit in X2Go Server.
>
> In versions of X2Go Server previous to 4.0.0.8 (LTS release branch)
> and previous to 4.0.1.10 (main release branch) a normal user could
> gain root access to X2Go Server machines.
>
> The vulnerability has been fixed by these commits
>
> http://code.x2go.org/gitweb?p=x2goserver.git;a=commitdiff;h=c2036a1152a7e57286ffeb8e8859177f8de64a33
> http://code.x2go.org/gitweb?p=x2goserver.git;a=commitdiff;h=80ff6997550749a64dd5db5684acbd47a4127ab3
Use CVE-2013-7261 for this issue involving root access through the use
of shell metacharacters.
- --
CVE assignment team, MITRE CVE Numbering Authority
M/S M300
202 Burlington Road, Bedford, MA 01730 USA
[ PGP key available through http://cve.mitre.org/cve/request_id.html ]
----- Ende der weitergeleiteten Nachricht -----
--
DAS-NETZWERKTEAM
mike gabriel, herweg 7, 24357 fleckeby
fon: +49 (1520) 1976 148
GnuPG Key ID 0x25771B31
mail: mike.gabriel at das-netzwerkteam.de, http://das-netzwerkteam.de
freeBusy:
https://mail.das-netzwerkteam.de/freebusy/m.gabriel%40das-netzwerkteam.de.xfb
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 836 bytes
Desc: Digitale PGP-Signatur
URL: <http://lists.x2go.org/pipermail/x2go-dev/attachments/20140104/5c004cbb/attachment.pgp>
More information about the x2go-dev
mailing list